AICPA 2007 Top Technology Initiatives

The late, great science-fiction author Isaac Asimov penned much wisdom. In his somewhat autobiographical, “My Own View,” he opined on change: “It is change, continuing change, inevitable change, that is the dominant factor in society today. No sensible decision can be made any longer without taking into account not only the world as it is, but the world as it will be …. This, in turn, means that our statesmen, our businessmen, our everyman must take on a science fictional way of thinking.”

Those words, while true when written more than 25 years ago, hold even more truth today. We, as a society and a profession, face a heart-throbbing rate of change led by technology, and while our response is often “technological,” it is equally important that we respond with appropriately adapted business rules. More colloquially put, we must learn to “roll with the punches.”

The AICPA’s 18th Annual Top Technology Initiatives listing is a great barometer of change. In addition to its Certified Information Technology Professional (CITP) Credential holders and IT Section members, the AICPA collaborated with the Information Technology Alliance (ITA) and ISACA, whose members also participated in the survey because they share similar perspectives on the top technologies impacting practitioners and technology professionals who work closely with practitioners today. More than 1,500 participants ranked 30 technology initiatives they felt will have the most significant impact in the next 12 to 18 months.

The component issues come and go — rise and fall — and while the individual issues influence each of us differently, the over-arching weight of “change” affects us all. By discussing the individual components of the 10 most highly rated technologies, the purpose of this article is to help accountants recognize and (hopefully) avoid the dangers, while capitalizing on the opportunities of what Asimov so skillfully described as “change, continuing change, inevitable change.”

Information Security Management

I’m certain that as we evolved from hunter-gatherers to agrarian farmers, one of the first problems we solved was security. We had to lock up our crops and livestock (the measure of wealth in that society) to prevent theft — and we’ve been locking up our treasures ever since. Looking back, it seems as if it were easier. After all, a cow is pretty large, which makes it easy to protect. Unfortunately, today’s “treasure” is small — in fact, invisible. And because technology is so advanced, today’s treasure is very difficult to protect. I’m referring, of course, to electronic information (data). Coincidentally, Information Security has been the number one AICPA Top Technology for five years running.

This issue includes efforts and processes designed to protect your data from malicious or unauthorized access. While those of you in business, industry, government and education certainly have a challenge and an obligation to safeguard your company, agency or organizational data, CPAs and accountants in public accounting have an even bigger challenge and obligation.

Your clients look to you for leadership and guidance in how to protect what is, in many cases, their single most valuable asset — electronic data. In either case, your responsibility is to make sure that the firewall is properly deployed and updates are regularly installed and done so in a timely fashion. Virus signatures must be constantly updated; in fact, some best practices call for hourly checks. And, as rudimentary as it sounds, every machine should be set to automatically download and install operating system updates.

Your information security management system is analogous to a chain; it is only as strong as its weakest link. As a practitioner, you can, and should, be looking for that weakest link and helping to correct the weakness. Consequently, because security is a journey and not a destination, you must then move to the next weakest link and try to correct that weakness.

Identity and Access Management

Closely related to number one, this issue deals with the question, “Who’s who on the Internet?”

The old joke, “On the Internet, nobody knows you’re a dog,” was funny early on in the days of simple chat rooms (remember CompuServe?) — before we began to shop, bank, travel and invest electronically. Today, it’s not nearly as funny to realize that technology advances have made it very, very difficult for someone to know exactly with whom he or she is “talking.” Or, worse yet, with whom he or she is transacting business.

“Identity and Access Management” surrounds exactly that problem. How can I, as a consumer, be certain that I’ve logged on to my bank’s server instead of to some very well-designed “look alike” site that will try to steal my user ID and password? The flip side, and certainly just as important, is how the bank (or store, brokerage, airline — you get the point) can make sure I am who I say I am. In other words, am I really myself and am I truly authorized to do what I’m attempting to do? This is, in essence, a technologically created problem that (as usual) needs business process and technology components for a solution.

Consumer intervention is paramount and perhaps even more important in the business environment. Accountants should be keenly aware of the implementation of digital certificates because they play an integral part in solving the “identity” problem on the Internet. Properly deployed, a digital certificate can help authenticate an individual e-mail or even a full website. For example, companies such as VeriSign systematized a method for the signatures on a certificate to be matched to attestations by the certificate signer to assure users that the identity information is as indicated. In this case, certificates are usually issued by class: Class 1 for e-mail, Class 2 for organizations wishing to prove identity and Class 3 for servers and software signing.

The current best practice in which an individual can prove his or her identity to a server is rapidly moving to the T-FA or “dual factor approach,” which requires independent methods of establishing who I am. The factors can be who I am (a biometric reading such as a fingerprint, retinal scan or facial recognition), what I know (a user ID and/or password), or what I have (a fob — electronic security device — a USB device or smart card).

Conforming to Assurance and Compliance Factors

The Sarbanes-Oxley (SOX) issue first arose as a top technology issue last year and claimed the number two position. This year, it remains strong at number three, and, unless you’ve been living under a business rule, auditing and technological rock, you certainly expected it here again this year.

Accountants in business and industry, and public practice are reeling under the burdens of extensive new reporting and documentation requirements; SOX 404 work has become both a boon and a bane to thousands of firms. Here, new technologies are once again a problem and solution, and the profession is rising to the challenge of risk management through continuous monitoring (auditing).

Privacy Management

Moving up a notch from its debut on last year’s list is privacy management. While existing regulations (Gramm-Leach-Bliley, HIPAA) control the disclosure and retention of certain personal information, emerging technology appears to be causing, or at least allowing, yet another problem. As the Internet becomes more and more pervasive in our lives, and the promise of Web 2.0 begins to unfold, concern about privacy is moving from the wild-eyed radical to the mainstream.

Last August’s disclosure by AOL of a “mega-store” of partially anonymized search queries detailing the search habits of 20 million of its users quickly backfired when The New York Times identified Thelma Arnold, a 62-year-old widow from Lilburn, Ga. While Ms. Arnold’s searches were as commonplace as yours or mine (they ranged from “numb fingers” to “60 single men”), the fact that these searches could be so easily traced back to her — all the way down to her exact street address — caused the giant search engines to reconsider their disclosure of private information.

Privacy Management will continue to grow in importance as more and more data is captured and eventually aggregated. As technology progresses, deep data-gathering will become much more pervasive, society will demand more and more “privacy,” and businesses (and governments) will see more and more analytical value in that data. Accountants are in a unique position to advise both parties, and professionals who understand the technologies used in these examples will be in an even more enviable position.

Disaster Recovery Planning (DRP)/Business Continuity Management (BCM)

DRP/BCM is another repeat on this year’s list. It placed fifth in 2005, but rose (probably on the strength of the Katrina/Rita catastrophe) to third last year, falling back to fifth for 2007.

Early on in the application of technology to public accounting, DRP meant “backup,” plain and simple. To many (usually smaller) of today’s practices and businesses, that’s still all it means. Fortunately, the profession is rapidly embracing the concept of full DRP — a plan that is developed, monitored and updated, and includes contingencies for loss of, or impaired access to, data and/or other resources from theft, vandalism or malicious damage, natural disasters, viruses, and other maladies. Studies consistently show a nearly 90 percent failure rate for unprepared businesses hit with a significant disaster.

BCM is rapidly being adopted as an important component of a comprehensive plan. It’s interesting to note that the fragile nature of the technology — electronic data — that has helped so many become productive actually requires so much attention to be paid to its replacement. Wise accountants will continue to develop and maintain their own plans (this is a journey, not a destination!) and counsel their clients to do the same.

IT Governance

New to the list last year at number four, this issue, even though coming in at number six for 2007, is obviously retaining mind share. Then again, it probably should, because we are, after all, accountants!

The concept of governance in IT becomes more and more important as IT matures and we leave the 1990s’ cowboy approach of “spend now and plan later” to develop a more business-like approach of assuring that technology investments add value while balancing risk versus return. Top performers now regularly carefully calculate IT ROI to consider decisions around technology investments and how to optimize related returns.

Accountants should be keenly aware of this sea change as midsize and small entities move to more formal IT governance programs. These more formal approaches will actually be more comfortable for our profession because we would stereotypically desire a conservative model. This changing manner in which businesses and firms are dealing with technology implementation provides accountants a particularly valuable voice — one of documentation and determination.

Securing and Controlling Information Distribution

This issue, probably more easily recognized by its consumer name of “Digital Rights Management,” makes its first appearance on the Top Technologies Initiatives list. While the Recording Industry Association of America (RIAA) has had the issue as its solid number one concern for years, it is now beginning to get noticed in non-entertainment mainstream business.

The old adage, “content is king,” continues to be true, and the very technologies that attract users/listeners/readers/viewers — instant, anywhere access to whatever content I want — have become the bane of content providers. From entertainment to professional research to software, the question of protection of IP rights is looming large for accountants. Everyone has an opinion; in fact, some have multiple opinions!

Case in point is Microsoft’s new Zune MP3 player (think the Microsoft version of the iPod), which turns out to be incompatible with the company’s own “PlaysforSure” digital rights management scheme.

At the pure business-to-business level, new technologies are emerging that provide assurance to an e-mail recipient that the e-mail did, in fact, come from the sender. This genre of technology can also provide non-repudiation certification to the recipient while assuring prevention of the document being opened by anyone other than the intended recipient. Finally, these technologies can prevent the printing, filing or forwarding of messages, and even determine a date and time for their automatic destruction.

Mobile and Remote Computing

New to the list, but catching a lot of attention and almost certain to continue to do so in the future, are the issues surrounding mobile and remote computing. It was nearly two decades ago that technologists began postulating a vision for computer access “anytime, anywhere, on any device” — and this thinking seems to have (nearly) arrived.

Mobile and remote computing requires three separate development tracks: connectivity (ubiquitous bandwidth); affordable, durable and appropriately functioning hardware; and software to provide applications and data with proper duplication and, preferably, synchronization. Perhaps 2007 will be the year all three emerge.

Wireless: WiFi (802.11x) has gained an enormous following, and the technology world is anxiously anticipating the newest standard — 802.11n. Meanwhile, over on the cellular front, carriers rolled out EVDO (Evolution-Data Optimized), a wireless radio broadband data standard. Road warriors are flocking to it and its slower cousin, EDGE (Enhanced Data rates for GSM Evolution), for their speed, simplicity and security.

Hardware: We’ve seen a blurring of laptops, tablets, handtops, Smartphones, Treos and other devices sporting more and more horsepower with lower prices.

Remote Access: Finally, we’re beginning to see excellent software solutions for remote access. Several years ago, Citrix bought GoToMyPC and effectively made the name almost “household” in many small business circles. Microsoft’s current operating system and server software include the widely used Terminal Services. Dozens of third-party providers launched specialized solutions all aimed at safely, securely and effortlessly connecting the remote worker to his or her applications, data and resources.

At the CPA firm level, these developments mean huge opportunity; yet, it is an opportunity requiring a shift in business practices. The well-informed practitioners of 2007 and beyond will be in constant contact, able to work and collaborate anytime, anywhere, and from almost any device.

Electronic Archiving and Data Retention

The issues around archiving and data retention are also new on the 2007 list. As IT continues to become more mainstream, practices and businesses (and their clients, employers and customers) are beginning to wrestle with the finer points of maintaining data.

Until a few years ago, most enterprises were satisfied with a simple “backup” of data. Today, that’s simply not enough. Best practices can provide significant efficiencies in space required to store and, more importantly, access that information. Professional and legal regulations now detail exactly what information can, and must be, retained, and for exactly how long. Accountants must stand ready to meet those requirements internally, helping to interpret them and implement plans to meet the needs of their clients.

Document, Content and Knowledge Management

The final technology issue on the 2007 list expanded from a narrower “paperless document” issue on the 2006 list to include the closely related, but substantively different issues of content and knowledge management.

Graduate management schools have long taught the DIKW hierarchical model — Data, Information, Knowledge and Wisdom. It’s interesting to note that technology is now mirroring that model as efforts move from the simple “paperless office” paradigm to the far more valuable (hence the information hierarchy) content and knowledge management.

While firms and businesses originally only dealt with PDFs, they are now moving toward systems that manage dynamic as well as static information, and are looking to full OCR (optical character recognition) solutions to deal with “content.” Eventually, they will move to the contextual as they add structure and control to information, thereby harnessing the intellectual capital contained in the underlying data.

Look to the Future

Those are the 2007 Top Technology Initiatives. Have they changed from previous years? Yes. Will 2008 change, too? Again, the answer is yes. New technologies come to the forefront, and the profession struggles briefly and, again and again, adapts.

The 2007 list represents huge opportunities for the informed — and a huge threat to the uninformed. While the issues are basically about “technology,” the solutions (as usual) lie in adapted business practices. Your challenge is to react as Asimov suggested: “Take on a science fictional way of thinking.”

Greg LaFollette is executive editor of The CPA Technology Advisor and senior manager of Tax and Technology Consulting with Eide Bailly, LLP. He chairs the AICPA’s CITP Credential Committee and serves on the TECH+ Planning Committee and the Top Techs Task Force. He authors www.TheTechGap.com, one of the profession’s most widely read blogs, and hosts the profession’s first regularly scheduled recurring Podcast, Tech2Go, available through The CPA Technology Advisor’s Podcast series “Intersection Live.”